Windows Server

4 Improved Security Features in Windows Server 2008

The next generation of Microsoft’s Windows based server code named Longhorn, and now officially released as Windows Server 2008, is the next in line successor to Windows Server 2003. As with Microsoft’s latest client OS Vista, Server 2008 offers a variety of security enhancements including, an improved firewall, hard drive encryption, expanded Active Directory controls, ISV security programmability, network access controls as well as a host of other updated and improved security technologies. Programmed from the same code base, Server 2008 and Vista offer a server/client environment that is secure out of the box but also provides administrators with the tools and technologies to harden and manage security in today’s fast changing distributed networked landscape.

1. New and Improved Windows Firewall and Advanced Security Features

Server 2008 includes the new and enhanced version of Windows Firewall a vastly improved package over the original Windows Firewall first distributed in XP SP2. Microsoft has given administrators a fully functional stateful host based firewall solution which allows for advanced configurations. Incoming and outgoing filters can be configured against advanced rule sets to filter source and destination address, ports, services, protocols and even interfaces. The firewall is preconfigured out of the box to deny all non-sourced requests from the outside network and to allow all outbound traffic. Although you can configure basic settings via the control panel as with the previous Windows Firewall, you cannot access the advanced configuration.

Advanced configuration tasks must be completed using the MMC snap-in, named Windows Firewall with Advanced Security. The snap-in is available via the Administrative Tools. Advanced security features include full integration with Active Directory users and groups, and also remote client configuration via both the snap-in and command line. Also new to the Windows Firewall is IPsec integration which makes for a much simpler IPsec configuration and avoids conflicts with firewall rules, since both are programmed via the same interface.

2. BitLocker … The Quest for Security and Protection

On the fly drive encryption is the latest technology in the quest for secure computing and data protection. Windows Server 2008 included BitLocker Drive Encryption utility which combines two key technologies for the protection of sensitive data, drive encryption and boot integrity checking. While servers are not as exposed to physical hardware theft as a mobile computer there are still many instances where hardware loss and data theft can occur, such as with hardware repairs, or loss during business relocation. Bitlockers allows administrators to encrypt the entire OS volume as well as any data volumes present on the server, but the OS and data volumes cannot be decrypted separately; if the OS volume is unlocked so are the data volumes. Also, it is important to note that Bitlocker only has the capability to encrypt logical drives, not physical drives.

Bitlocker however, is not installed by default with Windows Server 2008, but may not be desirable in some server environments; it also does not support cluster configurations. Bitlocker’s integration with the Trusted Platform Module specification provides offline tamper proof integrity on a hardware level. Bitlocker configuration is provided by a simple to use wizard. Administrators can also use the Windows Management Instrumentation (WMI) interface which also supports scripting. A recovery console allows support personal to easily gain access to a locked system using the appropriate keys or pin numbers.

3. NAP … The Challenge of Keeping a Healthy Network

In todays connected and mobile environments keeping unsecured computers from accessing and possibly infecting the internal networks of a business is a constant challenge. Network Access Protection (NAP) is a new platform that allows administrators to dynamically control computer network access restricted by a set of administrator defined system health rules. NAP offers a three pronged approach:

Health State Validation – by defining and validating system for any computer connecting to the network

Limited Access – by offering restricted network resource access to computers that are non-compliant and unable to update to meet requirements

NAP greatly reduces the workload of keeping in-house computers up to date with the latest security applications. It also allows visiting and remote computers to access network resources while mitigating possible security breaches because of the unknown health status of outside or transient computers systems.

4. ASLR and Additional Enhanced Security Features

Address Space Layout Randomization (ASLR) is a security programming mechanism that guards against the all too common buffer over run exploits. In a nutshell ASLR randomizes where code loads into memory. The effect is to make any exploit that requires the memory load location of an executable ineffective, because the attack code has no way to predict the memory location where the targeted binary will load. ASLR is used on many different OS environments and is seen as an effective security defense. In addition, ASLR is enabled by default in Windows Vista and Windows Server 2008.

Other security enhancements integrated in Windows Server 2008 include an enhanced Active Directory which features improved identity, certificate and rights management, and domain control mode for remote domain servers. There is also an improved Terminal Service with the ability to share single applications rather than the entire desktop and allow secure remote connections via https. Improved IIS security features and support for 256-bit AES encryption for the Kerberos authentication protocol are also included

Overall the new OS from Microsoft offers much needed enhanced security features. Microsoft programmers have addressed many shortcomings of previous OS releases and at the same time improved usability and stability.